
If a result does not return with 'secret', the feature is not enabled.

hostname#show run | incl username

Remediation:

Create a local user with an encrypted, complex (not easily guessed) password.

hostname(config)#username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>

Impact:

Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by applying an MD5 hash and encrypting user passwords.

Default Value:

No passwords are set by default.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-cr-t2-z.html#GUID-5071E577-5249-4EA1-9226-BD426BEAD5B9

SNMP read access allows remote monitoring and management of the device.

Audit:

Verify the result reads "SNMP agent not enabled"

hostname#show snmp community

Remediation:

Disable SNMP read and write access if SNMP is not used to monitor and/or manage the device.

hostname(config)#no snmp-server

Impact:

Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-book.html

1.5.2 Unset 'private' for 'snmp-server community' (Scored)

Profile Applicability:

• Level 1

Description:

An SNMP community string permits read-only access to all objects.

Rationale:

The default community string "private" is well known. Using an easy-to-guess, well-known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.

Audit:

Perform the following to determine if the private community string is enabled:

Ensure private does not show as a result

hostname# show snmp community

Remediation:

Disable the default SNMP community string "private"

hostname(config)#no snmp-server community {private}

Impact:

To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'private' setting for snmp-server community.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE

1.5.3 Unset 'public' for 'snmp-server community' (Scored)

Profile Applicability:

• Level 1

Description:

An SNMP community string permits read-only access to all objects.

Rationale:

The default community string "public" is well known. Using an easy-to-guess, well-known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.

Audit:

Perform the following to determine if the public community string is enabled:

Ensure public does not show as a result

hostname# show snmp community

Remediation:

Disable the default SNMP community string "public"

hostname(config)#no snmp-server community {public}

Impact:

To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'public' setting for snmp-server community.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE

1.5.4 Do not set 'RW' for any 'snmp-server community' (Scored)

Profile Applicability:

• Level 1

Description:

Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.

Rationale:

Enabling SNMP read-write enables remote management of the device. Unless absolutely necessary, do not allow simple network management protocol (SNMP) write access.

Audit:

Perform the following to determine if a read/write community string is enabled:

Verify the result does not show a community string with a "RW"

hostname#show run | incl snmp-server community

Remediation:

Disable SNMP write access.

hostname(config)#no snmp-server community {write_community_string}

Impact:

To reduce the risk of unauthorized access, organizations should disable SNMP 'write' access for every snmp-server community.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE

1.5.5 Set the ACL for each 'snmp-server community' (Scored)

Profile Applicability:

• Level 1

Description:

This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.

Rationale:

If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).

Audit:

Perform the following to determine if an ACL is enabled:

Verify the result shows a number after the community string

hostname#show run | incl snmp-server community

Remediation:

Configure authorized SNMP community string and restrict access to authorized management systems.

hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}

Impact:

To reduce the risk of unauthorized access, organizations should enable access control lists for all snmp-server communities and restrict access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization.

Default Value:

No ACL is set for SNMP.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s2.html#GUID-2F3F13E4-EE81-4590-871D-6AE1043473DE

1.5.6 Create an 'access-list' for use with SNMP (Scored)

Profile Applicability:

• Level 1

Description:

You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Rationale:

SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.

Audit:

Perform the following to determine if the ACL is created:

Verify that you see the appropriate access-list definitions

hostname#sh ip access-list <snmp_acl_number>

Remediation:

Configure SNMP ACL for restricting access to the device from authorized management stations segmented in a trusted management zone.

hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>

hostname(config)#access-list <snmp_acl_number> deny any log

Default Value:

SNMP does not use an access list.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
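The audit steps for the local-user check at the top of this page and for items 1.5.2 through 1.5.6 all reduce to inspecting lines of the running configuration. The following script, added here as an example and not part of the CIS benchmark or any Cisco tooling, applies those checks to a saved `show running-config` text: it flags 'username ... password' lines that do not use 'secret', the default 'public' and 'private' community strings, any community with RW, any community without an access list, and any community whose access list is referenced but never defined. The sample configuration, its hostnames, community strings and the password hash are all constructed placeholders; the control labels follow the item numbers on this page, with "username-secret" used for the local-user check whose item number is not visible here.

```python
"""Offline audit of a Cisco IOS running-config for the local-user and
SNMP community checks described above (added example, not CIS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # benchmark item the line fails (labels follow the numbering above)
    line: str      # offending configuration line
    detail: str    # why it fails and the remediation direction


# Constructed sample running-config: hostname, strings and the hash are placeholders.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
username admin password 0 changeme
username netops secret 5 $1$placeholder$notARealHashValue
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO 10
snmp-server community n3tm0n-rw RW 10
snmp-server community backupmon RO SNMP-MGMT
access-list 10 permit 10.1.1.5
access-list 10 deny any log
!
"""

USERNAME_RE = re.compile(r"^username (\S+) (password|secret)\b")
ACL_NUMBERED_RE = re.compile(r"^access-list (\S+) ")
ACL_NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
DEFAULT_STRINGS = {"private": "1.5.2", "public": "1.5.3"}


def parse_community(line: str) -> tuple[str, str, str | None]:
    """Return (community, RO|RW, acl) for one 'snmp-server community' line.

    IOS syntax: snmp-server community <string> [view <name>] [ro|rw]
                [ipv6 <nacl>] [<acl-number>|<acl-name>]
    A line with no mode keyword is read-only, so RO is the default here.
    """
    tokens = line.split()[2:]
    name, rest = tokens[0], tokens[1:]
    mode, acl = "RO", None
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ("view", "ipv6") and i + 1 < len(rest):
            i += 2            # skip the keyword and its argument
            continue
        if tok in ("ro", "rw"):
            mode = tok.upper()
        else:
            acl = rest[i]     # the only remaining positional token is the ACL
        i += 1
    return name, mode, acl


def audit_config(config: str) -> list[Finding]:
    """Apply the checks from the sections above to a running-config text."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Collect ACL identifiers first so community lines can be checked against them.
    defined_acls: set[str] = set()
    for ln in lines:
        for pat in (ACL_NUMBERED_RE, ACL_NAMED_RE):
            if m := pat.match(ln):
                defined_acls.add(m.group(1))

    for ln in lines:
        if m := USERNAME_RE.match(ln):
            if m.group(2) == "password":
                findings.append(Finding("username-secret", ln,
                    f"user {m.group(1)} uses 'password'; reconfigure with 'username ... secret'"))
            continue
        if not ln.startswith("snmp-server community "):
            continue
        name, mode, acl = parse_community(ln)
        if name.lower() in DEFAULT_STRINGS:
            findings.append(Finding(DEFAULT_STRINGS[name.lower()], ln,
                f"default community string '{name}'; remove with 'no snmp-server community {name}'"))
        if mode == "RW":
            findings.append(Finding("1.5.4", ln, f"community '{name}' grants read-write access"))
        if acl is None:
            findings.append(Finding("1.5.5", ln,
                f"community '{name}' has no access-list restricting source addresses"))
        elif acl not in defined_acls:
            findings.append(Finding("1.5.6", ln,
                f"community '{name}' references ACL '{acl}' that is not defined in this config"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.control}] {f.line}\n    {f.detail}")
```

Run against the constructed sample, the script reports eight findings: the plaintext 'admin' user, both default community strings (each also lacking an ACL), the two RW communities, and the 'backupmon' community whose ACL name is never defined. A configuration with no 'snmp-server' lines at all produces no SNMP findings, which matches the "SNMP agent not enabled" outcome of the audit step above.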

1.5.7 Set 'snmp-server host' when using SNMP (Scored)

Profile Applicability:

• Level 1

Description:

SNMP notifications can be sent as traps to authorized management systems.

Rationale:

If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.

Audit:

Perform the following to determine if SNMP traps are enabled:

If the command returns configuration values, then SNMP is enabled.

hostname#show run | incl snmp-server

Remediation:

Configure authorized SNMP trap community string and restrict sending messages to authorized management systems.

hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp

Impact:

Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access.

Default Value:

A recipient is not specified to receive notifications.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-D84B2AB5-6485-4A23-8C26-73E50F73EE61

1.5.8 Set 'snmp-server enable traps snmp' (Scored)

Profile Applicability:

• Level 1

Description:

SNMP notifications can be sent as traps to authorized management systems.

Rationale:

SNMP has the ability to submit traps.

Audit:

Perform the following to determine if SNMP traps are enabled:

If the command returns configuration values, then SNMP is enabled.

hostname#show run | incl snmp-server

Remediation:

Enable SNMP traps.

hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart

Impact:

Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying trap type will enable all SNMP trap types.

Default Value:

SNMP notifications are disabled.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-EB3EB677-A355-42C6-A139-85BA30810C54

1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 (Scored)

Profile Applicability:

• Level 2

Description:

Specifies authentication of a packet with encryption when using SNMPv3.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages.

When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.

Audit:

Verify the result shows the appropriate group name and security model

hostname#show snmp groups

Remediation:

For each SNMPv3 group created on your router, add privacy options by issuing the following command:

hostname(config)#snmp-server group {group_name} v3 priv

Impact:

Organizations using SNMP can significantly reduce the risks of unauthorized access by using the 'snmp-server group v3 priv' setting to encrypt messages in transit.

Default Value:

No SNMP server groups are configured.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-56E87D02-C56F-4E2D-A5C8-617E31740C3F

1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 (Scored)

Profile Applicability:

• Level 2

Description:

Specify the use of a minimum of 128-bit AES algorithm for encryption when using SNMPv3.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages.

When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.

Audit:

Verify the result shows the appropriate user name and security settings

hostname#show snmp user

Remediation:

For each SNMPv3 user created on your router, add privacy options by issuing the following command:

hostname(config)#snmp-server user {user_name} {group_name} v3 encrypted auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}

Impact:

Organizations using SNMP can significantly reduce the risks of unauthorized access by using the 'snmp-server user' setting with appropriate authentication and privacy protocols to encrypt messages in transit.

Default Value:

No SNMP username is set by default.

References:

1. http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s5.html#GUID-4EED4031-E723-4B84-9BBF-610C3CF60E31
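Items 1.5.9 and 1.5.10 are audited from 'show snmp groups' and 'show snmp user' rather than from the running configuration, because IOS does not display SNMPv3 user credentials in 'show running-config'. The following script, added here as an example and not part of the CIS benchmark or any Cisco tooling, parses saved output of those two commands and reports every v3 group whose security model is not 'v3 priv' and every user whose privacy protocol is below AES128 or whose authentication protocol is not SHA (the protocols named in the remediation command above). The sample output is constructed to follow the IOS record layout; the group names, user names and engine ID are placeholders, not captured from a real device.

```python
"""Check 'show snmp group' / 'show snmp user' output against items 1.5.9
and 1.5.10 (added example, not CIS or Cisco code)."""
from __future__ import annotations

import re

# Constructed sample output modeled on the IOS 'show snmp user' / 'show snmp group'
# record layout; engine ID and names are placeholders, not captured from a device.
SHOW_SNMP_USER = """\
User name: mon-ro
Engine ID: 800000090300000000000001
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MON-V3

User name: legacy-user
Engine ID: 800000090300000000000001
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: LEGACY-V3

User name: open-user
Engine ID: 800000090300000000000001
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: OPEN-V3
"""

SHOW_SNMP_GROUP = """\
groupname: MON-V3                            security model:v3 priv
contextname: <no context specified>          storage-type: nonvolatile
readview : v1default                         writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: LEGACY-V3                         security model:v3 auth
contextname: <no context specified>          storage-type: nonvolatile
readview : v1default                         writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: OPEN-V3                           security model:v3 noauth
contextname: <no context specified>          storage-type: nonvolatile
readview : v1default                         writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""

ACCEPTED_PRIV = {"AES128", "AES192", "AES256"}   # 'aes 128' is the benchmark minimum
GROUP_RE = re.compile(r"^groupname:\s*(\S+)\s+security model:\s*(.+?)\s*$", re.M)
FIELD_RE = re.compile(
    r"^(User name|Authentication Protocol|Privacy Protocol|Group-name):\s*(.*?)\s*$", re.M)


def parse_show_snmp_group(text: str) -> dict[str, str]:
    """Map group name -> security model string, e.g. 'v3 priv'."""
    return {name: model for name, model in GROUP_RE.findall(text)}


def parse_show_snmp_user(text: str) -> list[dict[str, str]]:
    """One dict per user record; records are separated by blank lines."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k: v for k, v in FIELD_RE.findall(block)}
        if "User name" in fields:
            users.append(fields)
    return users


def audit_snmpv3(user_output: str, group_output: str) -> list[tuple[str, str, str]]:
    """Return (control, object, detail) tuples for groups and users that fall short."""
    findings = []
    for name, model in parse_show_snmp_group(group_output).items():
        # 1.5.9: every v3 group must use the 'priv' security level
        if model.startswith("v3") and model != "v3 priv":
            findings.append(("1.5.9", name,
                             f"security model '{model}'; set 'snmp-server group {name} v3 priv'"))
    for u in parse_show_snmp_user(user_output):
        name = u["User name"]
        priv = u.get("Privacy Protocol", "None")
        auth = u.get("Authentication Protocol", "None")
        # 1.5.10: privacy at least AES128, authentication SHA as in the remediation command
        if priv not in ACCEPTED_PRIV:
            findings.append(("1.5.10", name, f"privacy protocol '{priv}' is below AES128"))
        if auth != "SHA":
            findings.append(("1.5.10", name, f"authentication protocol '{auth}' is not SHA"))
    return findings


if __name__ == "__main__":
    for control, obj, detail in audit_snmpv3(SHOW_SNMP_USER, SHOW_SNMP_GROUP):
        print(f"[{control}] {obj}: {detail}")
```

On the constructed sample the script reports six findings: the two v3 groups configured without 'priv', and two findings each for the DES/MD5 user and the user with no authentication or privacy at all; the AES128/SHA user in the 'v3 priv' group passes both items. v1 and v2c groups are left to the community-string checks of the earlier items, since 1.5.9 applies only to SNMPv3 groups.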

2 Control Plane

The control plane covers monitoring, route table updates, and generally the dynamic operation of the router: the services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router. Examples of control plane services include logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP, network topology protocols like STP, and traffic security control protocols like IKE.

Network control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.

From the document CIS Cisco IOS 12 Benchmark v4.0.0 (pages 39-49)
